These years, attention has been brought to languages, such as XML, with which information is described by means of structuring the information into a hierarchical structure. XML is widely used in various fields. For example, typical use of XML is seen in the field of medical records, contracts and the like. In the case of such documents, it is desired that access permission or access rejection be capable of being set up for not only the whole of each of the documents but also each of a plurality of sets of information included in each of the documents. For example, permission of access by many people to information on a date and time of medical treatment does not bring about a problem. However, permission of access by many people to access information on the name of a disease is not desirable.
With this taken into consideration, it is desirable to provide an access control policy for specifying access permission or access rejection for each of the plurality of hierarchized nodes for a structured document including the plurality of nodes. This policy is defined as a set of multiple rules (access control rules), each of which describes whether access should be permitted or rejected for each of the nodes. In this respect, since the nodes are hierarchized, control effects (access control effects) of access permission or access rejection have dependence among nodes in the hierarchical relationship in the hierarchical structure.
Specifically, in a case where access to a particular node is permitted, access to nodes (ancestor nodes) situated higher in the hierarchy than the particular node is also permitted. Furthermore, in a case where access to a particular node is rejected, access to nodes (descendent nodes) situated lower in the hierarchy than the particular node is also rejected. As an example, in a case where a node marking a “name of a disease” exists lower in the hierarchy than a node marking a “medical record,” permission of access by the patient to the name of the disease is equal to permission of access by the patient to the medical record.
Since such dependence exists, one of the following two points also have to be determined in order to determine whether access to a particular node should be permitted or rejected. One point of the two is whether access rejection has been specified for nodes higher in the hierarchy than the particular node. The other point of the two is whether access permission has been specified for every node lower in the hierarchy than nodes which are higher in the hierarchy than the particular node. For this reason, in order to determine the access control effect on a particular node, a number of rules in the policy have to be checked.
For the purpose of controlling access efficiently, the following technique has been disclosed (see: U.S. Patent Publication 2005/0076030 and Yu, T., Srivastava, D., Lakshmanan, L. V. S., and Jagadish, H. V. [2002]. “Compressed Accessibility Map: Efficient Access Control for XML,” In Proceedings of the International Conference on Very Large Databases, pp. 478-489). In accordance with the foregoing, correspondence of the position of each of the nodes in a hierarchical structure, indicating whether access to the node position should be permitted or rejected, is stored in advance in a table, and the access control effect is efficiently obtained by means of reference to the table in response to an access request.
Access control effects may be different depending on the subject of the access requests (e.g., the access requestors and the nodes intended to be accessed). However, as far as conventional techniques are concerned, if a table entry is prepared for every access requester and for every position (path) of a node intended to be accessed in the hierarchical structure, the table size becomes larger. A scheme in which any thing which is common is shared can be adopted for the aforementioned conventional techniques in order to reduce table size.
However, in a case where there are many parts which cannot be used in common, it is likely that the table size will become larger, and that the memory space will be used to a large extent. In some cases, it is difficult to identify what range in the common parts should be updated in response to policy change. In such a case, when the policy is changed, a wide range in the table needs to be updated.